fail2ban
29.10.2024
environment
- OS: Debian 12 bookworm
- Kernel: x86_64 Linux 6.1.0-26-amd64
- fail2ban/stable 1.0.2-2
install
Warning
Important: python3-systemd has to be installed too!
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Note
because .local survives package upgrades (jail.conf does not)
configuration
most default settings are fine; listed below are those I've changed.
general
nano /etc/fail2ban/jail.local
ignoreip = 1.2.3.4 110.120.130.140 150.160.170.0/24
Note
add both your private and public IPs, otherwise you may end up in jail yourself
Warning
after each change fail2ban.service has to be restarted
sshd
Info
ssh public key authentication (key generated with ssh-keygen -t ed25519) and PermitRootLogin prohibit-password
in /etc/ssh/sshd_config
are enabled, so f2b-sshd isn't really necessary because no password login is available
nano /etc/fail2ban/jail.local
backend = systemd
MUST be the first line, otherwise it doesn't work. The issue is well known.
vaultwarden
Info
2FA is enabled, thus f2b-vaultwarden isn't really necessary because a brute force attack wouldn't be successful. A MITM attack is a possible scenario.
f2b files
Info
vaultwarden runs in a docker container, as does the caddy reverse proxy
nano /etc/fail2ban/filter.d/vaultwarden.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
nano /etc/fail2ban/jail.d/vaultwarden.local
[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
banaction = %(banaction_allports)s
chain = FORWARD
logpath = /var/lib/docker/volumes/vaultwarden/_data/vaultwarden.log
maxretry = 5
bantime = 3600
findtime = 600
fail2ban-client set vaultwarden unbanip 1.1.1.1
caddyfile
vaultwarden.heyandy.org:443 {
    reverse_proxy vaultwarden:80 {
        header_up X-Real-IP {remote_host}
    }
}
Note
header_up X-Real-IP {remote_host}
has to be added to the Caddyfile, otherwise the container's local IP is shown in vaultwarden.log instead of the client's
compose.yaml
env for vaultwarden/server:latest
must be extended, otherwise vaultwarden doesn't log login failures and thus fail2ban can't ban
start & troubleshoot
systemctl enable fail2ban (if necessary)
systemctl status fail2ban (expect: *.service; enabled; preset: enabled; Active: active (running))
fail2ban-client start (if necessary; it displays the cause if not successful)
fail2ban-client status
fail2ban-client status sshd
fail2ban-client status vaultwarden
systemctl restart fail2ban.service
journalctl -f
less /var/log/fail2ban.log
grep -srni "journalmatch" /etc/fail2ban/filter.d/
Note
useful to see which service is bound to each jail (doesn't work with docker containers because the service runs inside docker.service)
fail2ban-client set sshd unbanip
Tip
can be used to test whether the client is working: try to unban a non-existent IP
fail2ban-client set sshd banip
iptables -L f2b-sshd -v -n --line-numbers
fail2ban-client set vaultwarden unbanip
Tip
can be used to test whether the client is working: try to unban a non-existent IP
less /var/lib/docker/volumes/vaultwarden/_data/vaultwarden.log
iptables -L f2b-vaultwarden -v -n --line-numbers
help
fail2ban
- https://wiki.archlinux.org/title/Fail2ban
- https://www.the-art-of-web.com/system/fail2ban/
- https://seifer.guru/2021/01/2021-01-fail2ban-with-nginx-in-container/
- https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc
- https://docs.docker.com/engine/network/packet-filtering-firewalls
- https://www.reddit.com/r/selfhosted/comments/srrg7n/fail2ban_and_docker/?rdt=41758
- https://forum.openwrt.org/t/resolved-fail2ban-and-iptables-ip-bans-not-blocked/90057
sshd
vaultwarden
- https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
- https://github.com/dani-garcia/vaultwarden/issues/973
- https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
- https://github.com/dani-garcia/vaultwarden/wiki/Logging